From “A Hospital’s Safety Lessons”
Security Management (10/16) Abdulaziz Al Essa, Ibrahim. Printed by ASIS.
A deadly fire that broke out at Jazan General Hospital in Saudi Arabia last December has been attributed to negligence by hospital and Ministry of Health officials as well as poor design and implementation of the building. The fire, which killed 25 people and injured 124, was caused by an electrical short circuit on the first floor of the hospital. Hospital staff members were able to evacuate all patients on the first floor, but the resulting smoke density and escalation to the hospital’s upper floors caused deaths due to asphyxiation. Defects in the building’s fire isolation and alarm system and faulty oxygen extension pipes also facilitated the fire’s spread. The Ministry indicated that the hospital staff’s lack of security and safety training led to an increase in deaths and injuries during the evacuation process. The hospital did not have an incident command team, mechanisms to control emergency exits, or fire extinguishing systems. The evacuation process was further hampered by cars and bystanders congesting the area outside the hospital. Hospital officials ignored the warnings of the Saudi Arabia Civil Defense Agency prior to the facility’s opening in 2009, including concerns that the contractor hired to construct the building committed several engineering errors.
From “Yahoo Says Information on at Least 500 Million User Accounts Was Stolen”
Wall Street Journal (09/23/16) McMillan, Robert. Posted by ASIS.
Yahoo Inc. reported Thursday that hackers backed by an unnamed foreign government had stolen personal information from more than 500 million of its users’ accounts. Hackers penetrated Yahoo’s network in late 2014 and stole personal data on more than 500 million users. The stolen data included names, email addresses, dates of birth, telephone numbers, and encrypted passwords, Yahoo said. Yahoo said it believes that the hackers are no longer in its corporate network. The company said it did not believe that unprotected passwords, payment-card data, or bank-account information had been affected. In July, Yahoo began investigating claims by hackers who were offering to sell what they said were 280 million Yahoo usernames and passwords. Yahoo said it concluded the information for sale was not legitimate, but the company decided to broaden its probe, eventually determining that it had been breached by “a state-sponsored actor.” Yahoo did not say how the hackers broke into its network or which country sponsored the attacks. The intrusion, in 2014, came during a period when many computer attacks were believed to be the work of China. More recent hacks, however, including of the Democratic National Committee earlier this year, have been blamed on Russia. Both countries have denied involvement in the hacks. The Yahoo breach appears to be the largest ever disclosed, based on the number of users affected, said Paul Stephens, director of policy and advocacy with Privacy Rights Clearinghouse.
From “Crooks Are Selling a Skimmer That Works on All Chip Card Readers”
CSO Online (08/31/16) Korolov, Maria. Posted by ASIS.
Researchers have found a website that claims to sell “the most advanced EMV chip data collector in the world.” The seller says that the device is powered by the point of sale terminal, and can hold information on up to 5,000 credit cards in its memory. The equipment can also be used on machines made by Ingenico and Verifone, as well as terminals on gas station pumps, ticket purchase stations, and on small ATMs, specifically those manufactured by Triton. Andrei Barysevich, director of Eastern European research and analysis at Flashpoint, says that the device is primarily targeted towards Latin America. Latin America is still reliant on static data authentication chips, which allow criminals to create usable new chip cards with the data they catch, making it an easier target. Barysevich also says that the “technology can be used in any point of sale device. It literally takes less than 10 seconds to install, and once installed, it stays there forever.” He said that terminal manufacturers have been notified about the issue.
From “Laptops Most Often Stolen From Most Unlikely Place”
CIO (08/15/16) Olavsrud, Thor. Posted by ASIS.
According to Kensington’s IT Security & Laptop Theft report, the No. 1 place employees had experienced IT theft was ‘cars and transportation’. The No. 2 response, coming in ahead of ‘airports and hotels’ and ‘restaurants’, was the office. Kensington, a supplier of desktop and mobile device accessories, surveyed 300 U.S. IT professionals from a range of industries for the report. The company found that 34 percent of organizations do not have a physical security policy in place for their laptops, mobile devices, and other electronic assets. Additionally, 54 percent of respondents do not currently use physical locks for IT equipment. “Since studies confirm that well-implemented security can significantly decrease laptop theft by as much as 85 percent, it’s important for IT personnel to consistently utilize physical locks for computing and mobile equipment to provide resistance to tampering and theft,” said Rob Humphrey, director of Global Product Management, Security, Kensington.
From “Police: Laptop Used to Reprogram, Steal More Than 100 Cars”
Associated Press (08/05/16) Posted by ASIS.
Police have arrested two men in Houston for allegedly using pirated computer software to steal more than 100 vehicles. Michael Arce, 24, and Jesse Zelaya, 22, focused on new Jeep and Dodge vehicles that are lucrative on the black market in Mexico, authorities said. Using a laptop computer, the men allegedly reprogrammed the targeted vehicles’ electronic security so their own key worked. The stolen vehicles relied on a common software used by auto technicians and dealers, according to Houston police officer Jim Woods. Computer security expert Yoni Heilbronn says computerization and Internet connectivity increase vehicle security in some ways, but also increase the risk of theft and malicious disabling. Automakers are cooperating to develop best practices and to share information on cybersecurity threats.
WIRED (08/10/16) Greenberg, Andy.
In 2013, when University of Birmingham computer scientist Flavio Garcia and a team of researchers were preparing to reveal a vulnerability that allowed them to start the ignition of millions of Volkswagen cars and drive them off without a key, they were hit with a lawsuit that delayed the publication of their research for two years. But that experience doesn’t seem to have deterred Garcia and his colleagues from probing more of VW’s flaws: Now, a year after that hack was finally publicized, Garcia and a new team of researchers are back with another paper that shows how Volkswagen left not only its ignition vulnerable but the keyless entry system that unlocks the vehicle’s doors, too. And this time, they say, the flaw applies to practically every car Volkswagen has sold since 1995.
See full story at https://www.wired.com/2016/08/oh-good-new-hack-can-unlock-100-million-volkswagens/
From “Local Schools to Use New Security App Directly Connected to Police”
WSBTV.com (Atlanta, GA) (08/08/16) Petchenik, Mike. Posted by ASIS.
The Fulton County school district in Georgia recently launched the QuickTip app, which allows anyone to anonymously report something suspicious to Fulton County school police. School officials hope the app will help keep kids safe in class. Fulton County Schools Director of Safety and Security Shannon Flounnory said he hopes the app will stop a range of bad student behavior. Anyone can download the app on their smartphone through the Fulton County schools app or access it online. The district launched it quietly last year, and Flounnory says they’ve had some success.
Full Story: http://www.wsbtv.com/news/local/north-fulton-county/local-schools-to-use-new-security-app-directly-connected-to-police/419250001